The senior director of GovTech's cybersecurity group shares how organisations can bake security into their products or systems from the start, at the Computerworld Singapore Security Summit 2017

Chai Chin Loon, senior director of the cybersecurity group of Singapore's Government Technology Agency (GovTech), speaking at the Computerworld Singapore Security Summit 2017.

"As threats grow in scale and sophistication, our approach in addressing them must evolve too," asserted Chai Chin Loon, senior director of the cybersecurity group of Singapore's Government Technology Agency (GovTech). He was speaking at the recent Computerworld Singapore Security Summit 2017.

One notable cyber threat is a Mirai, a malware that automatically finds Internet of Things (IoT) devices to infect and turn them into botnets that can be centrally controlled. The more than 500,000 infected IoT devices were then used for distributed denial of service (DDoS) attacks on companies including Dyn last year.

Since Dyn provides domain name systems for many online sites, the DDoS attack on it caused popular online sites, like Twitter, Amazon and AirBnB to become temporarily unavailable, said Loon.

He thus stressed the need for organisations to start "thinking about security holistically. Organisations need to be able to prepare, prevent, detect, respond and learn."

He added that businesses need to adopt the security-by-design approach. This means that security is one of the early considerations when designing and building the products, instead of treating security as an add-on to a developed solution.

To do so, Chai advised IT and cybersecurity professionals to:

Develop risk-based security policies.

Adopt industry best practices and established standards for security controls in the design process.

Separate staging and production environments, as well as automate security testing within continuous integration during deployment.

Conduct penetration and security acceptance tests, as well as vulnerability assessment.

End users have a role in cybersecurity too. They need to practise good cyber hygiene by securing and patching their IoT devices regularly. They should also report potential breaches and suspicious events as soon as they spot any, to their IT/cybersecurity teams, said Chai.